Privacy policy
Nexus Wizard Privacy Policy
North Star Counselling and Therapy Limited ("we," "us," "our") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, share, and protect personal data when you use Nexus Wizard (the "Service"), in compliance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. We recognise that therapists and clients may be located outside the United Kingdom; where local privacy or health-data laws apply (for example, the United States Health Insurance Portability and Accountability Act (HIPAA) or other state privacy laws), we will comply with those laws in addition to UK GDPR, to the extent applicable.
1. Data Controller and Contact Details
Data Controller:
When you use Nexus Wizard as a therapist, you are the Data Controller for any client information you enter. North Star Counselling and Therapy Limited acts as a Data Processor on your behalf.
Our relationship with Subscribers as Data Controllers is governed by a written Data Processing Agreement ("DPA") as required under UK GDPR. This agreement sets out the subject matter, duration, nature, and purpose of processing, as well as the obligations and rights of both parties. A copy of the DPA is provided to Subscribers upon subscription.
Our contact:
North Star Counselling and Therapy Limited
60 St. Enoch Square, Level 5, Glasgow, United Kingdom, G1 4AG
Email: privacy@nexuswizard.com
Data Protection Officer (DPO): dpo@nexuswizard.com
2. What Data We Collect
A. Data Provided by Therapists ("Subscribers"):
- Name, email, contact information, therapist credentials
- Username, password, and account details
- Payment and subscription information (where applicable)
B. Data Entered about Clients ("Client Data"):
- Name and contact details
- Demographics (e.g. date of birth, gender)
- Case history and background information
- Session notes and case records
- Psychometric assessment responses and outcomes
- Appointment dates and status
Note: This may include "special category" health data in circumstances permitted under the UK GDPR. The lawful basis for processing and any applicable condition under the provisions of the UK GDPR must be determined by the Data Controller.
C. Usage Data:
- IP address and log-in records
- Device/browser technical data
- Usage statistics (anonymous, aggregate)
3. How and Why We Use Your Data
We process your data for the following purposes:
| Purpose | Basis |
|---|---|
| To create and manage your account | Contractual necessity |
| To provide our SaaS service | Contractual necessity |
| To secure and maintain our system | Legal obligation, legitimate interest |
| For support and troubleshooting | Contractual necessity, legitimate interest |
| To take payment/manage subscription | Contractual necessity |
| To contact you about service updates | Contractual necessity, legitimate interest |
| To meet legal/regulatory duties | Legal obligation |
| To analyse aggregated service usage | Legitimate interest (anonymised and non-identifiable) |
Data Controllers are responsible for ensuring a lawful basis for entering and processing client data, including obtaining explicit consent where required by law. We do not determine the lawful basis for processing Client Data; this is the responsibility of the Data Controller.
North Star Counselling and Therapy Limited shall process Client Data solely under the documented instructions of the Data Controller and for the purposes set out in this Privacy Policy. We will not process Client Data for any other purpose unless required to do so by United Kingdom law or other applicable law; in such cases, we will inform the Data Controller before processing, unless the law prohibits such notice.
4. How We Share Data
We do not sell or share your personal data for marketing. We may share personal data only as follows:
- Hosting partners: Secure UK/EU-based cloud providers.
- Payment processors: Only for subscription and billing.
- Technical support partners (including in India): Restricted, logged, and strictly limited to anonymised technical data, unless you explicitly request support requiring identifiable data access and have obtained consent from all affected clients.
- Legal/regulatory authorities: If legally required.
We require all partners to adhere to strict confidentiality and data protection standards.
5. International Transfers
If technical support or maintenance is provided from outside the UK/EU (e.g., India), such access will only occur:
- For support purposes;
- For a time-limited duration (typically a maximum of 48 hours);
- With explicit, documented consent from the subscriber, confirming all necessary client consents have been obtained.
All international transfers comply with the UK Standard Contractual Clauses or other approved mechanisms under UK GDPR.
6. Data Security
We use appropriate technical and organisational safeguards, including:
- Encryption of data in transit and at rest;
- Access controls (role-based and password-protected);
- Secure, UK/EU-based cloud hosting;
- Employee training and non-disclosure agreements;
- Regular system monitoring and auditing;
- Regular third-party penetration testing to assess and strengthen system security;
- Support for multi-factor authentication (MFA) to enhance account protection.
In the event of a personal data breach, we will notify the relevant Data Controller without undue delay after becoming aware of it. Our notification will include all information necessary to enable the Data Controller to meet their legal obligations, including a description of the breach, likely consequences, and measures taken or proposed to address it.
7. Data Retention
- Therapists control how long client data remains in the platform, subject to local clinical/legal obligations.
- After termination of your account, we delete or return all personal data within 30 days, unless otherwise required by law.
8. Your Rights
You (or, for Client Data, your clients) have the right to:
- Access your personal data;
- Request correction or deletion of data;
- Restrict or object to processing;
- Request a copy in machine-readable format (portability);
- Withdraw consent (where applicable).
Exercise these rights by contacting us at hello@nexuswizard.com. We will respond to your request within one month of receipt of the request. Where requests are complex or numerous, we may extend this period by up to two further months, in accordance with UK GDPR, and will inform you of any such extension within the initial one-month period, together with the reasons for the delay.
9. Cookies and Analytics
We may use cookies or similar technologies to support security and system functionality. We use cookies for marketing or advertising. For more detailed information on the specific cookies we use, their purposes and duration, please refer to our separate Cookie Notice available on our website. You can control cookies through your browser settings.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders of material changes via email or via the platform. The current version is always available on our website.
11. Complaints
If you have any concerns about your data, please contact us at hello@nexuswizard.com. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.
12. Compliance with Other Laws
Nexus Wizard may be used by therapists and clients located outside the United Kingdom. In addition to UK GDPR and the Data Protection Act 2018, we will take reasonable steps to comply with any other applicable data-protection or health-privacy laws, to the extent they apply to our processing of personal data, including but not limited to the United States Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws, provided they do not conflict with United Kingdom law. If you have specific compliance requirements, please contact our DPO to discuss how we can accommodate them.
By using Nexus Wizard, you agree to the terms of this Privacy Policy and acknowledge your professional responsibilities as a data controller under UK GDPR.
Last updated: 31 August 2025